International machine safety standards
Anticipated international machine safety standards improve design flexibility and safety performance.
Keeping up with changing safety standards is nothing new for machine builders. But the international safety standards mandated by the European Commission’s Machinery Directive are reshaping how global machine builders approach machine safety system design.
As it relates to functional safety, EN 954-1, the standard that categorizes safety levels, is being superseded by two standards that will coexist. Machine builders and integrators can choose to conform to the requirements of EN ISO 13849-1 or EN/IEC 62061 to demonstrate compliance with the machinery directive. The European Commission extended the deadline (originally Dec. 29, 2009) for transition from EN 954-1 to EN/ISO 13849-1 until Dec. 31, 2011. This additional period of time should be viewed as an additional transition period, not as an extension to EN 954-1.
With this adoption of these functional safety standards, designers will need to assess the reliability of safety components by adding a quantitative calculation to the control safety system design. While this means more steps and procedures, it also offers benefits. Namely, these standards result in a methodical approach that can lead to machinery with more predictable performance, greater reliability and availability, and improved return on investment.
EN ISO 13849-1 (“Safety of machinery, Safety-related parts of control systems”) builds on EN 954-1, specifying system reliability in one of five performance levels (PLs) based on a “hardware-oriented structure,” calculated mean time to dangerous failure, and diagnostic coverage of the safety function. A significant revision in the standard requires defining the statistical probability of an unwanted occurrence or failure. In other words, it forces the designer to validate that the control system does what is required of it. This standard applies beyond electric/electronic systems to include mechanical, hydraulic, and pneumatic safety related parts of the control systems.
EN/IEC 62061 (“Safety of Machinery—Functional safety of safety-related electrical, electronic and programmable electronic control systems”) describes the amount of risk to be reduced and the ability of a control system to reduce that risk in terms of safety integrity level (SIL). The machinery sector uses three SILs; SIL 1 is the lowest and SIL 3 is the highest. A SIL applies to a safety function. The subsystem making up the system that implements the safety function must have an appropriate SIL capability.
Less complexity, better reliability
Historically, standards mostly were prescriptive in nature and simply provided guidance on the structure of control systems to ensure that safety requirements were met. In fact, some people considered EN 954-1 to be an overly simplistic approach because it did not require designers to assess the reliability of safety components in relationship to time. Using the principles of redundancy, diversity, and diagnostics, categories of safety system “structures” were created to help ensure that the safety function would be performed. But a very important element was missing: time.
Functional safety adds a “time” element to build on the existing safety structure (category) approach. This addition instills a reinforcing level of confidence that the safety system will perform properly today and tomorrow. In other words, designers have more information—and therefore more confidence—about the reliability of the safety function. The time element causes more up-front pain for safety component suppliers because of the increased product testing and performance documentation requirements. However, in the long run, it should result in less pain for machine operators and safety system designers due to the ability to quantify circuit reliability.
Ability to define performance requirements will give designers more flexibility to tailor their circuits to meet the specific needs of the application, rather than generalizing the overall design based on the simpler, more prescriptive requirements of the past.
For example, in conducting a risk assessment under EN ISO 13849-1, a designer may find that Performance Level d is required. The bar chart reveals four alternatives. A Category 2 (zero fault tolerant) structure with a very high mean time to dangerous failure and low diagnostic coverage may be the least expensive solution. At the other end of the spectrum, a Category 3 (single fault tolerant) system with medium diagnostics may be the ideal solution. Rather than taking a conservative approach and potentially overcompensating on the design, this approach gives designers more flexibility to specify a more optimum level of safety to meet the individual application demands.
Standard EN (IEC) 62061 offers similar flexibility. For example, a risk assessment performed in a different safety application may determine the need for a SIL 2 rating. The table gives three options for achieving SIL 2. The trade-off is hardware fault tolerance with diagnostics. With zero fault tolerance (single channel), 90% to 99% of the failures that occur must be safe failures. If a single channel system with appropriate diagnostics is too difficult or expensive to achieve, then a single fault tolerant structure (dual channel) with a lower safe failure fraction can be used. The third alternative is a two fault tolerant system (two out of three channel) with little or no diagnostics (less than 60% safe failures).
In all instances, the ability to tailor the specific safety functions to the application helps reduce cost and complexity, improves machine sustainability, and helps achieve a more optimum level of safety for each particular safety circuit or function.
This performance-based approach also makes it easier for designers to quantify and justify the value of safety. Previously, a designer may have had difficulty understanding—or explaining—why a costly or seemingly sophisticated safety system was needed for a particular application; it was simply required per the standard. Now, with the ability to quantify circuit reliability through specific performance and system integrity calculations, the designer can show the value in terms of actual risk reduction and thereby more easily justify safety expenditures.
To meet the safety standards, each component in the safety system must have an assigned probability of dangerous failure or mean time to dangerous failure. Historically, this type of information has not been widely available, though it is now. Most manufacturers are recertifying their products to meet the performance level requirements, as well as SIL ratings. This all takes time, but the results will mean better safety system designs with more quantifiable results.
The current challenge for machine builders is two-fold. First, they need to understand what the requirements of the Machinery Directive are and how these impact design and component selection. Second, they need to understand the documentation requirements and begin gathering the functional safety data needed from the component suppliers to support their safety designs with either an SIL or PL for the system.
Many electronic component safety manufacturers are embracing the standards by indicating the SIL level the system containing the safety component could achieve, and by supplying safety data for PL and SIL verification. This allows designers to take that information and perform the necessary calculations to meet the application requirements per the standards.
Component suppliers also are offering education and training programs, and tools to help reduce the documentation complexity. Rockwell Automation, for instance, provides a product library file designed for use with the Sistema calculation tool. The Sistema tool, developed by Germany’s IFA organization, automates calculation of the attained PL of the safety-related parts of a machine’s control system in the context of EN ISO 13849-1.
This tool and product libraries from component suppliers provide machinery and control system designers with comprehensive support in the evaluation of safety in the context of EN ISO 13849-1. Engineers are spared time-consuming consultation of tables and calculations of formulae since the software performs these tasks. Final results can be printed in a multiple-page report. )
The machine safety world continues to change, and the European Union’s mandate of rigorous international safety standards represents a giant leap forward. Ultimately, the standards will provide safer machine control systems and more flexibility to achieve and cost-justify safer designs. Though the deadline is months away, machine builders should take steps now to evaluate the directive’s impact on their equipment and prepare accordingly before the directive becomes mandatory.
Mike Miller is FS TÜV expert, global safety market development, and Wayne Solberg is global technical consultant, with Rockwell Automation.